Re: Malicous Domains and IDS/IPS signatures

["Sanjay R" <2sanjayr () gmail com>]

hi Mayanak

On Tue, Nov 4, 2008 at 12:07 PM, Bhatnagar, Mayank
<mbhatnagar () ipolicynetworks com> wrote:
> Hi,
>
> Often we find while analyzing malwares or binaries, some malicious
> domains become inactive after some period of time.
>
> They may be active during initial period of activity, malwares when
> executed connecting to these domains, these domains then sending
> malicious files....binaries etc.....but just as soon as this information
> is being known or the behavior has been captured by IDS/IPS signatures
> blocking this domain, soon the domain itself become inactive.
>
> What do you feel should be the responsibility of IDS/IPS solution
> providers? I feel keeping track of such domains (live or down) in an
> automated manner may be one possibility, keeping a signature for some
> time as a measure of protection another. Also maintaining blacklists of
> these domains may be helpful.
this is how a blacklist is maintained and it is being done already. I
dont know about the views of IPS/IDS vendors on maintaining a list as
its more a marketing funda with added (additional) feature (along with
full featured IPS/IDS). as far as a pure IPS/NIDS is concerned, its
role is to prevent/detect any such malicious file. Its not an option
for misused based IPS/NIDS, but a must have feature to keep
signatures.
another thing that i want to mention (keeping products/marketing a
side), there is a diffence between IPS and ACLS of a (proxy) firewall.
the later keeps a static ACL (e.g. block some IP or domain), whereas
former is dynamic and blocks some IP/domain only when it detects
something malicious from that. so blocking a domain statically (or
permanently) is not, as such, a function of IPS. however, it can be
done by maintaining a blacklist of URLs
> How should one handle such cases? Any ideas?
>
> Thanks & Regards,
> Mayank
>
> "DISCLAIMER:
> This message is proprietary to iPolicy Networks-Security Products division of Tech Mahindra Limited and is intended 
> solely for the use of the individuals to whom it is addressed. It may contain privileged or confidential information 
> and should not be circulated or used for any purpose other than for what is intended. If you have received this 
> message in error, please notify the originator immediately. If you are not the intended recipient, you are notified 
> that you are strictly prohibited from using, copying, altering, or disclosing the contents of this message. iPolicy 
> Networks-Security Products division of Tech Mahindra Limited accepts no responsibility for loss or damage arising 
> from the use of the information transmitted by this email including damage from virus."
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
> to learn more.
> ------------------------------------------------------------------------



-- 
Computer Security Learner

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------